Security vulnerabilities are a primary attack vector that can lead to data breaches and business disruptions. Security Center scans your assets for five vulnerability types: Linux Software Vulnerability, Windows System Vulnerability, Web-CMS Vulnerability, Application Vulnerability, and Urgent Vulnerability. Identify and fix risks before an attack occurs.
How scanning works
Security Center uses two detection methods, which may run together during a single scan:
Software composition analysis (SCA) — passive detection: The Security Center agent collects software version and dependency library information from your servers and compares it against a vulnerability database. This method only analyzes software metadata and has no impact on your business systems.
Web scanner — active validation: The web scanner sends proof-of-concept (POC) requests from the internet to your application services, simulating attack behavior to confirm a vulnerability. This method detects high-risk vulnerabilities such as remote command execution and SQL injection. All requests are harmless probes and cause no damage to your systems.
The web scanner is not currently supported for assets in the Outside Chinese Mainland region hosted in the Singapore data center.
Supported editions and scan coverage
Subscription
| Edition | Manual scan | Automatic (periodic) scan |
|---|---|---|
| Enterprise and Ultimate | All vulnerability types | All vulnerability types |
| Advanced | All types except Application Vulnerability | — |
| Basic, Value-added Plan, and Anti-virus | Urgent Vulnerability only | Linux Software Vulnerability, Windows System Vulnerability, and Web-CMS Vulnerability |
Pay-as-you-go
| Protection level | Manual scan | Automatic (periodic) scan |
|---|---|---|
| Host Protection and Hosts and Container Protection | All vulnerability types | All vulnerability types |
| Unprotected and Antivirus | Urgent Vulnerability only | Linux Software Vulnerability, Windows System Vulnerability, and Web-CMS Vulnerability |
Prerequisites
Before you begin, ensure that you have:
(Required for web scanner) The Security Center scanning IP range added to your network whitelists — see Configure a network whitelist
Configure a network whitelist
The web scanner performs active validation by sending POC requests from the internet. Add the Security Center scanning IP range 47.110.180.32/27 (47.110.180.32 to 47.110.180.63) to the whitelists of your security groups and network firewalls.
If you do not add the scanning IP range to your whitelist, the web scanner's POC requests may be blocked. This prevents detection of Application Vulnerability and Urgent Vulnerability, or causes requests to be flagged as attacks.
POC validation requests may include the auxiliary domain s0x.cn, used for application and urgent vulnerability detection. If this triggers an alert, ignore the alert or add a whitelist rule for it.
Configure a security group
If your server is an ECS instance, see Manage security groups and add an inbound rule with the following parameters:
| Parameter | Value |
|---|---|
| Direction | Inbound |
| Action | Allow |
| Protocol Type | TCP |
| Port Range | 1-65535 |
| Source | 47.110.180.32/27 |
Configure a firewall whitelist
If your server uses Web Application Firewall (WAF), see Configure whitelist rules to allow specific requests and add a whitelist rule with the following parameters:
| Parameter | Value |
|---|---|
| Match Field | IP |
| Logic | Belongs to |
| Match Content | 47.110.180.32/27 |
| Detection Modules to Skip | All |
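The whitelist check above is easy to get partly wrong (a narrower /28, a port range that only covers 80, or a rule in the wrong direction all leave part of the scanner range blocked). The following is an added example, not Security Center's or ECS's own code, that walks every address in 47.110.180.32/27 and reports which ones no inbound rule admits on TCP 1-65535. The rule dictionaries use a constructed field layout (direction, policy, ip_protocol, port_range, source_cidr) modelled on the security-group table above; map your real rule export onto these keys before use.

```python
import ipaddress

# Scanner range documented for the web scanner: 47.110.180.32 to 47.110.180.63.
SCANNER_RANGE = ipaddress.ip_network("47.110.180.32/27")
REQUIRED_PORTS = (1, 65535)


def _port_bounds(port_range):
    """Parse an ECS-style 'low/high' port range; '-1/-1' is treated as all ports (assumed convention)."""
    low, high = (int(p) for p in port_range.split("/"))
    return (1, 65535) if (low, high) == (-1, -1) else (low, high)


def _rule_admits(rule, addr):
    """True if one inbound allow rule admits `addr` on every required TCP port."""
    if rule.get("direction") != "ingress" or rule.get("policy") != "accept":
        return False
    if rule.get("ip_protocol", "").lower() not in ("tcp", "all"):
        return False
    low, high = _port_bounds(rule["port_range"])
    if low > REQUIRED_PORTS[0] or high < REQUIRED_PORTS[1]:
        return False
    source = ipaddress.ip_network(rule["source_cidr"], strict=False)
    return source.version == addr.version and addr in source


def uncovered_scanner_addresses(rules):
    """Scanner addresses that no rule fully admits; an empty list means the whitelist is complete."""
    return [str(a) for a in SCANNER_RANGE if not any(_rule_admits(r, a) for r in rules)]


# Constructed sample rule set illustrating two common mistakes.
SAMPLE_RULES = [
    {"direction": "ingress", "policy": "accept", "ip_protocol": "TCP",
     "port_range": "1/65535", "source_cidr": "47.110.180.32/28"},  # only .32-.47
    {"direction": "ingress", "policy": "accept", "ip_protocol": "TCP",
     "port_range": "80/80", "source_cidr": "47.110.180.48/28"},    # wrong port range
    {"direction": "ingress", "policy": "drop", "ip_protocol": "ALL",
     "port_range": "-1/-1", "source_cidr": "0.0.0.0/0"},
]

# The rule exactly as documented in the security-group table above.
DOCUMENTED_RULE = {"direction": "ingress", "policy": "accept", "ip_protocol": "TCP",
                   "port_range": "1/65535", "source_cidr": "47.110.180.32/27"}

if __name__ == "__main__":
    print("Uncovered with sample rules:", uncovered_scanner_addresses(SAMPLE_RULES))
    print("Uncovered with documented rule:", uncovered_scanner_addresses([DOCUMENTED_RULE]))
```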
Run a vulnerability scan
Security Center supports two scanning methods:
Manual scan: Immediately assess the vulnerability status of your servers on demand.
Automatic (periodic) scan: Set up recurring scan tasks for continuous vulnerability monitoring.
After a scan starts, the system creates a scan task and runs it in the background. View scan progress and results in Task Management.
Manual scan
Log on to the Security Center console. In the left-side navigation pane, choose Risk Governance > Vulnerabilities. In the upper-left corner, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.
On the Vulnerabilities page, click Quick Scan. In the Vulnerability Scan dialog box, select the vulnerability types to scan for, and then click OK.
To scan specific servers instead of all servers, go to the Host page, select the target servers, click Security Check in the panel at the bottom of the page, and then select Vulnerabilities.
Automatic (periodic) scan
Security Center uses two scheduling approaches depending on the vulnerability type:
Default cycle (non-configurable) — applies to Linux Software Vulnerability, Windows System Vulnerability, and Web-CMS Vulnerability:
| Edition / Protection level | Scan frequency |
|---|---|
| Advanced, Enterprise, Ultimate / Host Protection, Hosts and Container Protection | Once per day |
| Basic, Value-added Plan, Anti-virus / Unprotected, Antivirus | Once every two days |
User-defined cycle — applies to Application Vulnerability and Urgent Vulnerability, available for: Subscription (Advanced, Enterprise, Ultimate) and Pay-as-you-go (Host Protection, Hosts and Container Protection).
To configure automatic scanning:
Log on to the Security Center console. In the left-side navigation pane, choose Risk Governance > Vulnerabilities. In the upper-left corner, select the region where your assets are located: Chinese Mainland or Outside Chinese Mainland.
On the Vulnerabilities page, click Vulnerability Settings in the upper-right corner and configure the settings:
| Setting | Description | Default |
|---|---|---|
| Vulnerability scan switch | Enable or disable scanning for each vulnerability type. After enabling a type, click Manage to specify the scan scope (target servers). | — |
| YUM/APT Source Configuration | When enabled, Alibaba Cloud official YUM/APT sources take priority for fixing Linux vulnerabilities, improving remediation success rates. | Disabled |
| Urgent Vulnerability Scan Cycle | Sets how often urgent vulnerability scan tasks run. Default scan window: Chinese Mainland: 00:00:00–07:00:00 (UTC+8); Outside Chinese Mainland: 00:00:00–07:00:00 (UTC+7). Applies to: Subscription (Advanced, Enterprise, Ultimate); Pay-as-you-go (Host Protection, Hosts and Container Protection). | — |
| Application Vulnerability Scan Cycle | Sets how often application vulnerability scan tasks run. Default scan window: Chinese Mainland: 00:00:00–07:00:00 (UTC+8); Outside Chinese Mainland: staggered across a 24-hour period. Applies to: Subscription (Enterprise, Ultimate); Pay-as-you-go (Host Protection, Hosts and Container Protection). | — |
| Retain Invalid Vulnerabilities For | Sets the cleanup period for stale vulnerabilities. Vulnerabilities that have not recurred and have not been handled for a long time are marked as stale and automatically archived to the "Handled" list. After the configured cleanup period, the system permanently deletes them. If Security Center detects the same vulnerability type in the future, a new alert is generated. | — |
| Vulnerability Scan Level | Sets the risk levels to scan for. Security Center only scans and reports vulnerabilities that match the selected levels. | — |
| Vulnerability Whitelist Settings | Add vulnerabilities that do not require remediation (for example, due to acceptable risk or special business requirements) to a whitelist. Whitelisted vulnerabilities are automatically ignored in subsequent scans. To edit or delete whitelist rules, click Vulnerability Whitelist Settings in the Vulnerability Settings panel. | — |
View scan tasks
On the Vulnerabilities page, click Task Management in the upper-right corner.
In the Actions column, click Details for a task to view its impact data, including Affected Servers, Successful Servers, and Failed Servers.
For successfully scanned servers, the Status column shows the scope of detected vulnerabilities. For failed scans, the Status column shows the failure reason.
View and handle vulnerabilities
On the Vulnerabilities page, go to the tab for the target vulnerability type, open the details page for a specific vulnerability, and follow the instructions to fix it. For remediation steps, see View and handle vulnerabilities.
Application Vulnerability and Urgent Vulnerability do not support one-click remediation from the console. Log on to the server and fix them manually using the suggestions in the vulnerability details.
One-click remediation is available for the following editions and vulnerability types:
| Service model | Edition / Protection level | Supported vulnerability types |
|---|---|---|
| Subscription | Enterprise and Ultimate | Linux Software Vulnerability, Windows System Vulnerability, Web-CMS Vulnerability |
| Subscription | Advanced | Linux Software Vulnerability, Windows System Vulnerability |
| Subscription | Basic, Value-added Plan, Anti-virus | Linux Software Vulnerability, Windows System Vulnerability (requires the Vulnerability Fix value-added service — see Purchase Security Center) |
Limitations
Stopping a scan: After creating a manual scan task, wait 15 minutes before stopping it from the Task Management page.
Scan duration: Scan completion time depends on the number of assets and vulnerability complexity. Scans typically finish within 30 minutes.
FAQ
Why does the same server report multiple instances of the same vulnerability?
Application vulnerability detection targets running process instances. If a server runs multiple instances of a process with the same vulnerability — for example, two identical Tomcat services started on different ports — Security Center reports a separate vulnerability entry for each process instance. If the vulnerable software is installed but not running, Security Center does not detect the vulnerability.
Why do scan results for vulnerabilities like Fastjson sometimes vary between scans?
Detection depends on whether the vulnerable component (such as a JAR package) is in a runtime state during the scan. In a dynamic loading model, Security Center detects the vulnerability only when business logic actively calls the vulnerable component. Run periodic or multiple scans to improve detection accuracy for these vulnerability types.
After the agent goes offline, why does the console still show vulnerability records for that host?
Security Center retains vulnerability records after the agent goes offline, but those records automatically become stale. You cannot perform any actions on stale records — such as fixing, verifying, or clearing them. Staleness periods by vulnerability type:
Linux Software Vulnerability and Windows System Vulnerability: 3 days
Web-CMS Vulnerability: 7 days
Application Vulnerability: 30 days
Urgent Vulnerability: 90 days
Security Center permanently deletes all data only if the service expires and is not renewed within 7 days.
Does vulnerability scanning or POC active validation affect business systems?
No impact in typical cases. Active validation sends only 1–2 harmless probe requests and performs no attacks or destructive actions. In rare cases, a minimal risk exists if the target application is exceptionally fragile when handling unexpected input.
Why does a vulnerability scan sometimes trigger an out-of-memory (OOM) error?
The Security Center agent has a configured memory limit (200 MB by default). If a scan exceeds this limit, the system's OOM mechanism terminates the detection process (ALiSecCheck) to conserve resources.
The memory limit is managed by a control group (cgroup) named aegisRtap0, and the OOM information appears in the dmesg logs. This behavior is expected: the OOM kill is caused by the cgroup's memory limit and does not indicate that the entire system is out of memory. No action is required.
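Because an agent OOM kill is expected while a system-wide one is not, it helps to tell the two apart when reading dmesg. The following is an added example, not Security Center's own tooling, that parses the kernel's "oom-kill:" summary lines and labels kills confined to the aegisRtap0 cgroup and the ALiSecCheck process as expected. The dmesg lines are constructed samples shaped like the kernel's memcg and global OOM messages, and the cgroup path is assumed to end in aegisRtap0.

```python
import re

AGENT_CGROUP = "aegisRtap0"      # cgroup named in the FAQ above
AGENT_PROCESS = "ALiSecCheck"    # detection process named in the FAQ above
OOM_KILL_RE = re.compile(r"oom-kill:(?P<fields>.*)$")

# Constructed dmesg excerpt: one agent cgroup kill, one global OOM kill of a web app.
SAMPLE_DMESG = """\
[12345.678] ALiSecCheck invoked oom-killer: gfp_mask=0xcc0(GFP_KERNEL), order=0, oom_score_adj=0
[12345.680] oom-kill:constraint=CONSTRAINT_MEMCG,nodemask=(null),cpuset=/,mems_allowed=0,oom_memcg=/aegisRtap0,task_memcg=/aegisRtap0,task=ALiSecCheck,pid=4242,uid=0
[12345.681] Memory cgroup out of memory: Killed process 4242 (ALiSecCheck) total-vm:512000kB, anon-rss:204800kB, file-rss:0kB, shmem-rss:0kB
[98765.001] oom-kill:constraint=CONSTRAINT_NONE,nodemask=(null),cpuset=/,mems_allowed=0,global_oom,task_memcg=/system.slice/tomcat.service,task=java,pid=1337,uid=1000
[98765.002] Out of memory: Killed process 1337 (java) total-vm:4096000kB, anon-rss:3900000kB, file-rss:0kB, shmem-rss:0kB
"""


def parse_oom_kill(line):
    """Turn one kernel 'oom-kill:' summary line into a dict; return None for any other line."""
    m = OOM_KILL_RE.search(line)
    if not m:
        return None
    info = {}
    for field in m.group("fields").split(","):
        key, sep, value = field.partition("=")
        info[key.strip()] = value if sep else True   # bare flags such as global_oom
    return info


def classify_oom(info):
    """Label an OOM event: the agent's own cgroup limit is expected; anything else needs a look."""
    cgroup_leaf = info.get("oom_memcg", "").rstrip("/").rsplit("/", 1)[-1]
    if (info.get("constraint") == "CONSTRAINT_MEMCG"
            and cgroup_leaf == AGENT_CGROUP
            and info.get("task") == AGENT_PROCESS):
        return "agent-cgroup-limit"
    if info.get("global_oom") is True:
        return "system-wide"
    return "other-cgroup"


def triage_dmesg(text):
    """Return (task, pid, label) for every OOM kill found in a dmesg dump."""
    events = []
    for line in text.splitlines():
        info = parse_oom_kill(line)
        if info:
            events.append((info.get("task"), info.get("pid"), classify_oom(info)))
    return events


if __name__ == "__main__":
    for task, pid, label in triage_dmesg(SAMPLE_DMESG):
        print(f"{task} (pid {pid}): {label}")
```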
What is the scope of a vulnerability scan?
Scanning covers both the system and application layers:
System level: Linux Software Vulnerability and Windows System Vulnerability.
Important: Windows System Vulnerability scanning is limited to monthly security update patches.
Application level: Web-CMS Vulnerability, Application Vulnerability, and Urgent Vulnerability.
How can I view the list of vulnerabilities that Security Center can detect?
Log on to the Security Center console.
In the left-side navigation pane, click Vulnerabilities.
In the overview section, find the Disclosed Vulnerabilities statistics card and click the total number of vulnerabilities to open the full list.
Does Security Center support detection for specific vulnerabilities like Elasticsearch?
Yes. Detection results for vulnerabilities in services like Elasticsearch appear on the Application Vulnerability page in the console.
This feature requires Subscription (Enterprise or Ultimate) or Pay-as-you-go (Host Protection or Hosts and Container Protection). To access it, upgrade Security Center if your current edition does not support it.